In light of the latest news of the Yahoo hack, it’s time for me to revisit my online security, both work and personal. This should go for everyone: companies need to take note and help their employees to be safer and more aware, not least because it’s highly likely that many will be re-using passwords, even using the same passwords for personal accounts as for their work ones.
I can’t be smug about this myself either: I’ve got multiple passwords that I re-use across a variety of sites, and some of them aren’t based on one of my now-standard 27+ character passwords! I know that might sound crazy to some, but password length really does matter, as does complexity, and yet still it's not enough.
I do have an element of rotation, which certainly helps my protection, but regardless, I have been too relaxed (read: lazy!) when it comes to my online security.
Over the last 12 months there has been what feels like an increasing number of high-profile hacks and data leaks, and last night’s news was, for me at least, the final warning that I really MUST take action.
Over half the world is not online, apparently. So that means on average around 1 in 3 could have had their credentials stolen in this hack alone. It’s a fairly safe bet that the majority of those re-use the same password for multiple sites, and that those details are available on the black market.
Something else I learned yesterday is that there are sites where you can upload a text file of stolen credentials (which can be purchased incredibly cheaply) and they will, for a ridiculously tiny fee, run those credentials against multiple websites and return a definitive list of the sites where those credentials are active (this is known as credential stuffing). When it’s this easy for someone to obtain and verify your credentials, it’s absolutely crucial to ensure that at the very least you use two-factor authentication OR strong, unique passwords for each website (in which case a password manager protected by two-factor authentication would be essential), so that even when your credentials are stolen, they still can’t be used.
There’s a short Q&A that I had with a client below that explains a little more about two-factor authentication.
Using two-factor authentication should be standard, or mandatory, these days. Passwords may be the weakest link in security, yet out of laziness I’ve not used it on more than one or two sites. This has changed since last night’s disclosure from Yahoo.
1 BILLION ACCOUNTS!
I have a Yahoo account, but I don’t use it very often, in fact pretty much never. Thankfully it’s not tied to my name, nor is it used elsewhere, but it has made me think hard about convenience vs safety of my online identities.
Just some of the sites I’ve enabled multi-factor authentication on today:
• Office 365
I already had it running on
I’m going to continue looking at the available options on my other commonly used sites this morning, and for those that don’t offer it, I will be making sure I change my passwords.
A very helpful site, https://haveibeenpwned.com/, lets you enter your various email addresses to see if you’ve previously been a victim of leaked credentials in a number of prior known hacks. It’s not a full and definitive list, but it’s quite frightening when it comes back with the “Oh no – pwned!” message!
• What does two-factor authentication mean?
Two-factor (or multi-factor) authentication is where you use your user ID and password for your initial login but are then challenged for a one-time code, sent via SMS or generated by an authenticator app, so that a stolen password alone is not enough to get in.
• What policy/management should we seek to apply for password management within our business?
I would recommend that all services used have two-factor authentication enabled. It’s a minor pain in the rear-end, but it’s certainly better than dealing with the fallout of compromised accounts. Besides, most sites allow you to mark your personal computer as “trusted”, so you won't have to generate a code each time on your main computer; this should reduce the inconvenience a little whilst still preventing outside access.
• I would suggest that any internal password management solution such as LastPass is strictly defined as internal only, not private. My reasoning is simply that we can’t take responsibility for private details.
I agree, and LastPass has foreseen this as a potential barrier: it allows the linking of personal (free!) and enterprise accounts so that, whilst you can see all your saved credentials in one place, there is a partition between the enterprise-managed ones and the personal ones, and should an employee leave, they can detach themselves with ease. That said, there are multiple other providers, such as 1Password, which is also great.